R. Canetti, O. Goldreich, and S. Halevi, The random oracle model, revisited, http: //eprint.iacr.org/1998/011.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....AONT, stimulated a lot of subsequent research and achieved essentially the best possible AONT s in the Random Oracle model. However, analysis in the Random Oracle model provides only a limited security guarantee for real life schemes where the random oracle is replaced with an actual hash function [18]. Subsequent to our work, Desai [21] gave another provable construction of an AONT (based on the original informal construction of Rivest [51] and analyzed it in the so called ideal cipher model . This construction also achieves a somewhat weaker security notion than the one we consider here, ....

R. Canetti, O. Goldreich and S. Halevi. The Random-Oracle Model, Revisited. In Proc. of STOC, pp. 209-218, 1998.

....oracle model involves modelling certain parts of a scheme, in this case the key derivation function, as purely random functions. This is considered to be a good heuristic argument as to the security of the scheme but it also been shown that this does not constitute a formal proof of security [2]. Theorem 1. Suppose there exists an attacker against the IND CCA2 security of ECIES KEM that has advantage #, runs in time at most t and makes at most q D queries to the decryption oracle and q K queries to the random oracle that models the key derivation function. Then there exists an ....

R. Canetti, O. Goldreich, and S. Halvei. The random oracle model, revisited. In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing, pages 209--218, 1998.

....if it were a random oracle i.e. a black box containing a random function which can only be evaluated by making a specific enquiry. Proof in the random oracle model is of course purely heuristic evidence for the security of the scheme and nothing more, in fact a counterexample has been constructed [104] to show that security in the random oracle model does not imply security of the scheme. 5.3.3 E#ciency of security proofs It is possible to develop an explicit quantitative relationship between the di#culty of breaking a cryptosystem and that of the solving the problem on which it is based, so ....

O. Goldreich R. Canetti and S. Halvei. The Random Oracle Model, Revisited. In Proc. of STOC, pages 209--218, 1998.

.... hash function, as discussed above (see [5] for a more complete discussion) The result of this approach is a reductionist proof in the above sense, but the proof is only valid in a parallel universe where magic hash functions exist they do not exist in the real world of computation (see [9]) We stress that the existence of magic hash functions is not a hardness assumption, like factoring large numbers; they simply do not exist. Rather, they are a rough and ready heuristic, much like assuming the earth is flat, and that there is no wind resistance. To analyze a protocol using ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998.

....can be, a random oracle. It is entirely possible that a cryptographic scheme that is secure in the random oracle model can be broken without either breaking the underlying hard problem, or finding any particular weakness in the cryptographic hash function. Indeed, this is amply demonstrated in [CGH98] Our point of view is that a security analysis in the random oracle model is best viewed as heuristic evidence for the security of a scheme. If the only practical solutions to a problem rely on a random oracle argument for their proof of security, fine this is much better than no security ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998. 45

....also relies on the random oracle model, was presented by Tsiounis and Yung [34] Although the ROM is a convenient setting, we do not have a general mechanism for transforming protocols that are secure in the ROM into protocols that are secure in real life. Actually, Canetti, Goldreich, and Halevi [10] prove that there are encryption and signature schemes which are secure in the ROM, but have no secure implementation (replacement of the random oracle by any easy to evaluate function) in the real world (where a random oracle does not exist) Moreover, we do not even know how to specify the ....

R. Canetti, O. Goldreich, S. Halevi, The random oracle model, revisited, In: 30 th Annual ACM Symposium on Theory of Computing (1998).

....types of proofs do not rule out the possibility of breaking the scheme without breaking the underlying intractability assumption. Nor do they even rule out the possibility of breaking the scheme without nding some kind of weakness in the hash function, as shown by Canetti, Goldreich, and Halevi [CGH98]. 1.3 Further progress Subsequent to the publication of the extended abstract [CS98] on which the present paper is based, some further progress in this area has been made. Canetti and Goldwasser [CG99] presented a threshold decryption variant of our scheme. Also, the authors of the present paper ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisited. In 30th Annual ACM Symposium on Theory of Computing, 1998.

.... heuristic, it does not rule out all possible attacks: a scheme proven secure in this model might still be subject to an attack in the real world, even though the stated intractability assumption is true, and even if there are no particular weaknesses in the cryptographic hash function (see [CGH]) 1.1 Our contributions We present several new and fairly practical public key encryption schemes and prove them secure against adaptive chosen ciphertext attack. One scheme is based on Paillier s Decision Composite Residuosity (DCR) assumption [P] while another is based in the classical ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisited. In Proc. STOC '98, ACM Press, 1998.

....in an idealized model of computation where a hash function is represented by a random oracle. While a proof of security in the random oracle model is certainly preferable to no proof at all, a proof in the real world would be even better. Indeed, recent work by Canetti, Goldreich, and Halevi [3] show that there are cryptographic schemes that are secure in the random oracle model, but insecure in the real world no matter what hash function is chosen. It is not yet clear what the implications of these results are. While it still seems that security in the random oracle model does give ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998. To appear.

....model is not just another assumption, like assuming that a hash function is collision resistant, or that a function is pseudo random. It is a heuristic leap of faith invoking this heuristic is qualitatively a much bigger step than making any particular cryptographic assumption. Indeed, in [CGH98], it is shown that there are cryptosystems that are secure in the random oracle model, but are insecure no matter what hash function is used to implement the random oracle. Despite these problems, the random oracle model is still a useful heuristic and design principle. A proof of security in the ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998.

....AONT, stimulated a lot of subsequent research and achieved essentially the best possible AONT s in the Random Oracle model. However, analysis in the Random Oracle model provides only a limited security guarantee for real life schemes where the random oracle is replaced with an actual hash function [18]. Subsequent to our work, Desai [21] gave another provable construction of an AONT (based on the original informal construction of Rivest [51] and analyzed it in the so called ideal cipher model . 6 This construction also achieves a somewhat weaker security notion than the one we consider ....

R. Canetti, O. Goldreich and S. Halevi. The Random-Oracle Model, Revisited. In Proc. of STOC, pp. 209-218, 1998.

....model is not just another assumption, like assuming that a hash function is collision resistant, or that a function is pseudorandom. It is a heuristic leap of faith invoking this heuristic is qualitatively a much bigger step than making any particular cryptographic assumption. Indeed, in [CGH98], it is shown that there are cryptosystems that are secure in the random oracle model, but are insecure no matter what hash function is used to implement the random oracle. Despite these problems, the random oracle model is still a useful heuristic and design principle. A proof of security in the ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998.

....one way permutation scheme is secure. In the random oracle model, one analyzes the security of the scheme by pretending that a cryptographic hash function is really a random oracle. Now, a proof of security in the random oracle model does not necessarily imply anything about real security (see [CGH98]) Nevertheless, it seems that designing a scheme so that it is provably secure in the random oracle model is a good engineering principle, at least when all known schemes that are provably secure without the random oracle heuristic are too impractical. Subsequent to [BR93] many other papers have ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998.

.... evidence that a scheme cannot be broken however, it is entirely possible that a scheme can be secure in the random oracle model, and yet be broken without violating any particular intractability assumption, and without exhibiting any particular weakness in the cryptographic hash function (see [CGH98]) The random oracle model was rst introduced in an informal way in [FS87] and was later formalized and further developed and applied in [BR93] Subsequently, it has been used to analyze numerous cryptographic schemes (see, e.g. PS96] The standard hash and invert RSA signature is provably ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998.

....can be, a random oracle. It is entirely possible that a cryptographic scheme that is secure in the random oracle model can be broken without either breaking the underlying hard problem, or nding any particular weakness in the cryptographic hash function. Indeed, this is amply demonstrated in [CGH98] Our point of view is that a security analysis in the random oracle model is best viewed as heuristic evidence for the security of a scheme. If the only practical solutions to a problem rely on a random oracle argument for their proof of security, ne this is much better than no security ....

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998. 45

No context found.

R. Canetti, O. Goldreich and S. Halevi. The Random-Oracle Model, Revisited. In Proc. of STOC, pp. 209--218, 1998.

....that Bellare and Rogaway s Optimal Asymmetric Encryption Padding (OAEP) 2] yields an AONT in the Random Oracle model. However, analysis in the Random Oracle model provides only a limited security guarantee for real life schemes where the random oracle is replaced with an actual hash function [5]. In this work, we give the rst constructions for AONT s with essentially optimal resilience in the standard model, based only on computational assumptions. The key to our approach and our main conceptual contribution is the notion of an Exposure Resilient Function (ERF) a deterministic ....

R. Canetti, O. Goldreich and S. Halevi. The Random-Oracle Model, Revisited. In Proc. of STOC, pp. 209-218, 1998.

No context found.

R. Canetti, O. Goldreich, and S. Halevi, The random oracle model, revisited, http: //eprint.iacr.org/1998/011.

No context found.

R. Canetti, O. Goldreich, and S. Halevi, The random oracle model, revisited, Proc. 30th Annual Symp. Theory of Computing, ACM, 1998, pp. 209-218.

No context found.

Canetti, R., Goldreich, O., and Halevi, S. The Random Oracle Model, Revisited. In Proceedings on 30th Annual ACM Symposium on Theory of Computing (STOC '98) (Dallas, Texas, USA, May 1998), ACM, pp. 209--218.

No context found.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisited. In Proc. STOC '98, ACM Press, 1998.

No context found.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisited. In 30th Annual ACM Symposium on Theory of Computing, 1998.

No context found.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle model, revisted. In 30th Annual ACM Symposium on Theory of Computing, 1998.

No context found.

R. Canetti, O. Goldreich, and S. Halvei. The random oracle model, revisited. In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing, pages 209--218, 1998. 65

No context found.

R. Canetti, O. Goldreich, S. Halevi, \The random oracle model, revisited", in proc. STOC '98.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC